UPDATED: Researcher says WhatsApp can reissue encryption keys for offline devices, compromising privacy. WhatsApp says there is no backdoor and design decision saves millions of messages
Facebook has denied claims by a security researcher that a ‘backdoor’ within WhatsApp could allow governments or others to intercept supposedly encrypted messages.
The Facebook-owned messaging application has been especially vocal about its encryption capabilities as it looks to expand its reach and penetrate the business market. Any suggestion that these features have been diluted harm those ambitions and damage its reputation.
According to The Guardian, WhatsApp is able to force the creation of new encryption keys for offline users so messages that aren’t delivered can be sent if a recipient changes their SIM card or device for example.
However this undermines the strength of the end-to-end encryption, which relies on both the sender and recipient exchanging a single set of keys. What’s more, the recipient has no idea this has happened and the sender is only made aware if certain settings are enabled.
Tobias Belter, a security researcher at the University of California, Berkeley, discovered the behaviour and told Facebook in April 2016. However Facebook told him it knew about the issue and that it was “expected behaviour.”
“In WhatsApp’s implementation of the Signal protocol, we have a “Show Security Notifications” setting (option under Settings > Account > Security) that notifies you when a contact’s security code has changed,” the company told the newspaper. “We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp.
“This is because in many parts of the world, people frequently change devices and Sim cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.”
WhatsApp boasts that not even its staff could access the content of messages but the discovery means governments could demand the company hand over such information by forcing the application to change the keys.
Government surveillance risk
Given the recent Investigatory Powers Act in the UK and the ongoing state surveillance programmes in the US, this is a serious possibility, especially as many have called for WhatsApp, Apple and others to implement deliberate backdoors into their products.
“This really means that end-to-end encryption, when implemented using this method, isn’t the secure message transport algorithm most users would have been expecting, and more importantly requiring,” said David Kennerly, director of threat research at Webroot. “This calls into question what users should be expecting when offerings claim to provide full end-to-end encryption.
“The potential for governmental abuses from this misuse of encryption with WhatsApp is alarming. This is a serious vulnerability – WhatsApp needs to know how keys are protected in order to keep the global communications of over a billion users safe and private,” added Kevin Bocek, chief cybersecurity strategist at Venafi.
“This potential gap in security is a reminder for businesses of the power of cryptographic keys and how a lack of knowledge regarding their use can have serious consequences. Systems need to be in place to protect and change keys quickly, as and when needed.
“This is critical at a time when governments worldwide are attempting to break down and intrude on the use of encryption to protect privacy – what has become a basic right for both people and machines worldwide.”
However WhatsApp and Facebook deny the accusations.
“The Guardian posted a story this morning claiming that an intentional design decision in WhatsApp that prevents people from losing millions of messages is a ‘backdoor’ allowing governments to force WhatsApp to decrypt message streams,” a WhatsApp spokesperson told Silicon. “This claim is false.
“WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor. The design decision referenced in the Guardian story prevents millions of messages from being lost, and WhatsApp offers people security notifications to alert them to potential security risks.
“WhatsApp published a technical white paper on its encryption design, and has been transparent about the government requests it receives, publishing data about those requests in the Facebook Government Requests Report.”
WhatsApp’s privacy policies have come under scrutiny ever since Facebook bought the service in 2014. Plans to share data between the application and its parent company attracted significant criticism from campaigners and the practice has since been suspended in the EU.